The Threat of Evasive Malware
|
|
- Laurel Walton
- 7 years ago
- Views:
Transcription
1 The Threat of Evasive Malware Lastline Labs February 25, 2013 Key Points Malware authors exploit the limited visibility of traditional malware analysis systems (sandboxes) to evade detection Stalling code is a novel evasion technique that delays the malware execution without invoking any system calls, thereby timing out existing sandboxes The problem of evasive code is increasing Introduction The fight against malicious code is an arms race. Whenever defenders introduce novel detection techniques, attackers strive to develop new ways to bypass them. Automated malware analysis systems (or sandboxes) are one of the latest weapons in the defenders arsenal. Such systems execute an unknown malware program in an instrumented environment and monitor their execution. While such systems have been used as part of the manual analysis process for a while, they are increasingly used as core of the detection process. The advantage of the approach is clear: It is possible to identify previously unseen (zero day) malware, as only the observed activity in the sandbox is used for detection. As dynamic analysis systems have become more popular, malware authors have responded by devising evasive techniques to ensure that their programs do not reveal any malicious activity when executed in such an automated analysis environment. Clearly, when malware does not show any unwanted activity during analysis, no detection is possible. Simple evasive techniques have been known for quite a while. For example, malware might check for the presence of a virtual machine, or it might query well-known Windows registry keys or files that reveal a particular sandbox. Other malware authors instructed their malware to sleep for a while, hoping that the sandbox would time out the analysis before anything interesting is happening. Security vendors reacted by adding some counter-intelligence of their own to their systems. They added hooks that would identify cases where malware queries for well-known keys, and they would force a program to wake up after it calls sleep. This approach worked reasonably well for a while, although it is fundamentally reactive in nature. That is, the malware analysis system needs to be manually updated to handle each new, evasive trick. As a result, malware authors who create zero day evasions can bypass detection until the sandbox is upgraded. Unfortunately, malware authors have recently introduced an evasive technique that can no longer be handled by current sandboxes (even if the trick is known). This new evasive
2 technique, which we refer to as stalling code, delays the execution of malicious code so that a sandbox times out. However, to do this, the malware does not simply sleep. Instead, the program performs some (useless) computation that gives the appearance of activity. Hence, there is no way for the sandbox to wake up the program. Also, there are no checks for artifacts in the environment that might reveal any evasive behavior. The program simply executes, and from the point of view of the malware analysis system, everything is normal. The key problem, and the reason for the fundamental limitation of current sandboxes, is their lack of visibility into the execution of a malware program. A good sandbox has to achieve two goals: Visibility and stealth. That is, a sandbox has to see as much as possible of the execution of a program. Moreover, it has to do this in a stealthy fashion. Otherwise, it is easy for malware to detect the presence of the sandbox and alter its behavior (as discussed above). Current sandbox implementations typically rely on a virtual environment that contains the guest operating system. Sometimes, a sandbox runs the operating system directly on a real machine. The malware program is started inside the guest OS. To monitor a program s activity, a sandbox introduces hooks. These hooks can be inserted directly into a program to get notifications (callbacks) for function or library calls. The problem with direct hooks is that the program code needs to be modified, and this can be detect by malware or interfere with dynamic code generation (unpacking). Most frequently, sandboxes hook system calls to monitor the interaction between a program and the operating system. This is quite stealthy, especially for user-mode malware. Moreover, system calls capture all interactions between a program and its environment (e.g., when files are read, registry keys are written, and network traffic is produced). The key problem with hooking system calls (or library functions) is that the sandbox is blind to everything that happens in between calls. That is, a traditional sandbox cannot see any instruction that the malware executes between calls. This is a significant blind spot that malware authors can target; and they do so with stalling code, which is code that runs between system calls. An alternative approach to increase the visibility into malicious code execution is to use a debugger. A debugger has the advantage that it can see every instruction that a program executes. Typically, these tools used by a human analyst to manually step through the code in order to understand its functionality. Unfortunately, debuggers are not stealthy, and malware programs already employ many techniques to detect running debuggers. Also, debuggers are mostly used for manual analysis, which does not scale to the number of samples that vendors receive. What is needed is an automated malware analysis system that delivers the visibility of a debugger, but that is as stealthy and easy to manage as a virtual execution environment (a traditional sandbox). To achieve this goal, Lastline relies on system emulation. With a system emulator, we gain the advantages of a virtual execution environment, but retain the ability to see every instruction. This is crucial to be able to automatically handle evasive checks as well as stalling code. Figure 1 shows an overview of the ability of different malware analysis techniques. In the following sections, we discuss in more depth the two main evasive techniques that malware used in the wild: environmental checks and stalling code.
3 Figure 1: Visibility versus stealth for different malware analysis approaches Environmental Checks Malware programs frequently contain checks that determine whether certain files or directories exist on a machine and only run parts of their code when they do. Others require that a connection to the Internet is established or that a specific mutex object does not exist. In case these conditions are not met, the malware may terminate immediately. This is similar to malicious code that checks for indications of a virtual machine environment, modifying its behavior if such indications are present in order to make its analysis in a virtual environment more difficult. Other functionality that is not invoked on every run are malware routines that are only executed at or until a certain date or time of day. Functionality can also be triggered by other conditions, such as the name of the user or the IP address of the local network interface. Environmental checks have been discussed among security vendors in the past, and malware authors share well-known checks on hacker forums. As an example for such an environmental check, consider the example in Figure 2 and Figure 3. Here, we see malicious code querying for the names of the attached disks, and checking these names for the presence of the string QEMU. If this comparison is true, the malware knows that it is running inside the Qemu virtual environment.
4 Figure 2: Malware enumerating registry keys for the disk Figure 3: The same malware checking for the presence of QEMU in the disk name Environmental checks typically require that malware reads some value from the operating system (its runtime environment). These values can be registry keys, such as the name of the disks in the example above. Other values are file names or names of running processes. Whenever a malware program reads some value from the operating system, it has to invoke a system call. A sandbox sees this system call, and hence, can manipulate the return value (typically, it is randomized). Thus, when a specific environmental check becomes known, security vendors can improve their sandbox to watch for it. While this reactive approach works to some extend, it is vulnerable to evasion when malware authors introduce novel (zero day) checks. This requires vendors to patch their sandbox, introducing a window of vulnerability.
5 To handle the problem of environmental checks, it is crucial to have a more detailed view into the execution of a malware program. In particular, it is necessary to monitor the execution of all instructions. If such a view is available, it is possible to automatically track the values that a program reads and trace how the program processes it. This allows the system to recognize program points where the continuation of the execution depends on previously read input. When such a program point (an environmental check) is encountered, the analysis can explore both possible continuations. In addition, the system can extract the conditions under which the program follows a particular execution path. Using this information, one can determine the circumstances under which a damage routine or a propagation function is executed. This allows the automated identification and bypass of environmental checks, irrespective of the actual check that is used. Stalling Code Stalling code is executed before any malicious behavior regardless of the execution environment. The purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis systems give up on a sample, incorrectly assuming that the program is non-functional, or does not execute any action of interest. It is important to observe that the problem of stalling code affects all analysis systems, even those that are fully transparent. Moreover, stalling code does not have to perform any checks. Stalling code exploits two common properties of automated malware analysis systems: First, the time that a system can spend to execute a single sample is limited. Typically, an automated malware analysis system will terminate the analysis of a sample after several minutes. This is because the system has to make a trade-off between the information that can be obtained from a single sample, and the total number of samples that can be analyzed every day. Second, malware authors can craft their code so that the execution takes much longer inside the analysis environment than on an actual victim host. Thus, even though a sample might stall and not execute any malicious activity in an analysis environment for a long time (many minutes), the delay perceived on the victim host is only a few seconds. This is important because malware authors consider delays on a victim s machine as risky. The reason is that the malicious process is more likely to be detected or terminated by anti-virus software, an attentive user, or a system reboot. Figure 4: Stalling code in W32.DelfInj
6 Figure 4 shows a stalling loop implemented by real-world malware. As the sample was only available in binary format, we reverse engineered the malware program and manually produced equivalent C code. Since the executable did not contain symbol information, we introduced names for variables and functions to make the code more readable. While this malware calls functions as part of the loop, this does not have to be the case (as shown in Figure 5). Figure 5: Stalling loop without any function or system call Stalling code can only be recognized by analysis systems that have visibility into all instructions that a malware program executes. There are no obvious checks that can be seen at the system call level. To automatically detect stalling loops, and to ensure forward progress within the amount of time allocated for the analysis of a sample, one can use the following three-step approach. To this end, we introduce techniques to detect when a malware sample is not making sufficient progress during analysis. When such a situation is encountered, our system automatically examines the sample to identify the code regions that are likely responsible for stalling the execution. To this end, our system starts to dynamically record information about the addresses of instructions (code blocks) that are executed. Using these addresses, we build a (partial) control flow graph (CFG) of the non-progressing thread. This CFG is then searched for loops. For these code regions (and these regions only), costly logging is disabled. When this is not sufficient, we force the execution to take a path that skips (exits) the previously identified stalling code. In that case, we need to be careful, since the program could be in an inconsistent state. Malware authors could leverage these inconsistencies to expose the analysis system. To overcome this problem, we mark variables that are touched by the loop as potentially inconsistent. When such a variable is later used, we compute the proposer value on demand, by extracting a program slice.
7 Again, the key insight that allows us to automatically detect and mitigate stalling code is the fact that we see all instructions that are executing. Hence, we can identify stalling loops and actively interrupt their execution. Summary and Trends Malware authors have utilized simple evasion tricks for many years. These tricks mostly targeted public sandboxes and frustrated automated analysis by anti-virus vendors (who leverage sandboxes in the backend to aid signature generation). When sandboxes were introduced as the core of next generation APT detection offerings, attackers responded by developing novel evasive techniques, such as stalling code. Stalling code and novel environment triggers exploit the limited visibility of sandboxes and ensure that targeted attacks and zero day exploits remain successful. Figure 6 shows the fraction of samples with evasive behavior that we collected in our global analysis infrastructure over the last year. The growing trend is clearly visible. Figure 6: Increase of samples with evasive behaviors in 2012
8 , was founded in 2011 by university researchers Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Lastline s security products synthesize and bring to commercial standards the founders award-winning, world-renowned academic research on malware analysis and attack countermeasures. The founders of Lastline are also the founders of iseclab, one of the top malware research organizations in the world, and are considered to be today s thought leaders on automated high-resolution malware analysis and detection. The founders are well-known for their development of Anubis and Wepawet, which are cloudbased malware analysis tools with a user base of thousands of corporations, government institutions, and security vendors. Lastline is focused on real-time analysis of advanced malware and on tracking the Internet s malicious infrastructure (the Malscape ). Lastline leverages this threat intelligence to create advanced malware defenses for companies of all sizes. By focusing on cloud-based automated systems and processes, Lastline has developed the technology to analyze advanced malware at an unprecedented speed and volume. This gives Lastline the ability to analyze binaries and web content as it enters enterprise networks, as well as the ability to map the Malscape at a level of accuracy and relevance previously not available. As a result, Lastline s technology is able to detect 0-day, targeted attacks and provides actionable threat intelligence to address the advanced malware problem. For more information send to: info@lastline.com Copyright All rights reserved worldwide.
Full System Emulation:
Full System Emulation: Achieving Successful Automated Dynamic Analysis of Evasive Malware Christopher Kruegel Lastline, Inc. chris@lastline.com 1 Introduction Automated malware analysis systems (or sandboxes)
More informationLASTLINE WHITEPAPER. In-Depth Analysis of Malware
LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).
More informationLASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
More informationLASTLINE WHITEPAPER. Why Anti-Virus Solutions Based on Static Signatures Are Easy to Evade
LASTLINE WHITEPAPER Why Anti-Virus Solutions Based on Static Signatures Are Easy to Evade Abstract Malicious code is an increasingly important problem that threatens the security of computer systems. The
More informationyou us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services
MSSP you us are a Managed Security Service Provider looking to offer Advanced Malware Protection Services Lastline is the only company with 10+ years of academic research focused on detecting advanced
More informationCisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
More informationLASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains
LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way
More informationNetwork Threat Detection
Network Threat Detection DECEMBER 2015 Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to compare the effectiveness of a selection of threat detection
More informationCAS : A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY
CAS : A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY ABHILASH SREERAMANENI DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING SEOUL NATIONAL UNIVERSITY OF SCIENCE AND TECHNOLOGY
More informationBanking Security using Honeypot
Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information
More informationIMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
More informationCisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
More informationCisco Advanced Malware Protection Sandboxing Capabilities
White Paper Cisco Advanced Malware Protection Sandboxing Capabilities What You Will Learn How sandboxing is a key part of network security when it operates as an integrated component of a complete solution.
More informationFighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
More informationEfficient Detection of Split Personalities in Malware
Efficient Detection of Split Personalities in Malware Davide Balzarotti 1, Marco Cova 3, Christoph Karlberger 2 Christopher Kruegel 3, Engin Kirda 2, and Giovanni Vigna 3 1 Institute Eurecom, 2 Secure
More informationCisco Advanced Malware Protection. Ross Shehov Security Virtual Systems Engineer March 2016
Cisco Advanced Malware Protection Ross Shehov Security Virtual Systems Engineer March 2016 The Reality Organizations Are Under Attack and Malware Is Getting in 95% of large companies targeted by malicious
More informationLASTLINE WHITEPAPER. The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic
LASTLINE WHITEPAPER The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic Abstract A distinguishing characteristic of bots is their ability to establish a command and
More informationEXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY
EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY Dean Frye Sourcefire Session ID: SEC-W05 Session Classification: Intermediate Industrialisation of Threat Factories Goal: Glory,
More informationPractical Threat Intelligence. with Bromium LAVA
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
More informationWildFire. Preparing for Modern Network Attacks
WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends
More informationCan Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?
ANALYST BRIEF Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities? Author Randy Abrams Tested Products Avast Internet Security 7 AVG Internet Security 2012 Avira Internet Security
More informationSymantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How
More informationA White Paper from AccessData Group. Cerberus. Malware Triage and Analysis
A White Paper from AccessData Group Cerberus Malware Triage and Analysis What is Cerberus? Cerberus is the first-ever automated reverse engineering tool designed to show a security analyst precisely what
More informationIBM Advanced Threat Protection Solution
IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain
More informationBreaking the Cyber Attack Lifecycle
Breaking the Cyber Attack Lifecycle Palo Alto Networks: Reinventing Enterprise Operations and Defense March 2015 Palo Alto Networks 4301 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com
More informationSOFTWARE UPDATER A unique tool to protect your business against known threats
SOFTWARE UPDATER A unique tool to protect your business against known threats OVERVIEW This document explains the functionality of Software Updater. What it is, what it does, how it works, what gets patched
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationEndpoint Threat Detection without the Pain
WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a
More informationDEC. 2015. Next Generation Security with Endpoint Detection and Response WHITE PAPER
DEC. 2015 Next Generation Security with Endpoint Detection and Response WHITE PAPER Table of Contents Endpoint Compromise a Sad State of Reality... 3 Traditional Endpoint Anti-virus Isn t Getting It Done...
More informationSECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning
SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor
More informationRSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst
ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents
More informationTracking Anti-Malware Protection 2015
Tracking Anti-Malware Protection 2015 A TIME-TO-PROTECT ANTI-MALWARE COMPARISON TEST Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to measure
More informationThe Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director sfrei@secunia.com
The Fundamental Failures of End-Point Security Stefan Frei Research Analyst Director sfrei@secunia.com Agenda The Changing Threat Environment Malware Tools & Services Why Cybercriminals Need No 0-Days
More informationEC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.
CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape
More informationGetting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
More informationTop 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath
ebook Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath Protecting against downstream fraud attacks in the wake of large-scale security breaches. Digital companies can no longer trust static login
More informationApplying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
More informationThe Hillstone and Trend Micro Joint Solution
The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry
More informationThe Value of Physical Memory for Incident Response
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More informationWHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform
WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationEnterprise Security Platform for Government
Enterprise Security Platform for Government Today s Cybersecurity Challenges in Government Governments are seeking greater efficiency and lower costs, adopting Shared Services models, consolidating data
More informationStephen Coty Director, Threat Research
Emerging threats facing Cloud Computing Stephen Coty Director, Threat Research Cloud Environments 101 Cloud Adoption is Gaining Momentum Cloud market revenue will increase at a 36% annual rate Analyst
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationThreat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products
Threat Intelligence: The More You Know the Less Damage They Can Do Charles Kolodgy Research VP, Security Products IDC Visit us at IDC.com and follow us on Twitter: @IDC 2 Agenda Evolving Threat Environment
More informationHow To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)
McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload
More informationActive Threat Control
Active Threat Control Proactive Protection Against New and Emerging Threats Why You Should Read this White Paper The unprecedented rise of new threats has deemed traditional security mechanisms both ineffective
More informationWhy a Network-based Security Solution is Better than Using Point Solutions Architectures
Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone
More informationLearning Course Curriculum
Learning Course Curriculum Security Compass Training Learning Curriculum. Copyright 2012. Security Compass. 1 It has long been discussed that identifying and resolving software vulnerabilities at an early
More informationENABLING FAST RESPONSES THREAT MONITORING
ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger,
More informationCisco Advanced Malware Protection
Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line
More informationREVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
More informationThis report is a detailed analysis of the dropper and the payload of the HIMAN malware.
PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware
More informationDRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario
DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with
More informationBreach Found. Did It Hurt?
ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many
More informationZero Trust Requires Effective Business-Centric Application Segmentation
Zero Trust Requires Effective Business-Centric Application Segmentation GET STARTED Zero Trust Requires Effective Business-Centric Application Segmentation To protect the network from today s sophisticated
More informationHost-based Intrusion Prevention System (HIPS)
Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively
More informationWHITE PAPER Big Data Analytics. How Big Data Fights Back Against APTs and Malware
WHITE PAPER Big Data Analytics How Big Data Fights Back Against APTs and Malware Table of Contents Introduction 3 The Importance of Machine Learning to Big Data 4 Addressing the Long-Tail Nature of Internet
More informationICTN 4040. Enterprise Database Security Issues and Solutions
Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of
More informationIBM Security re-defines enterprise endpoint protection against advanced malware
IBM Security re-defines enterprise endpoint protection against advanced malware Break the cyber attack chain to stop advanced persistent threats and targeted attacks Highlights IBM Security Trusteer Apex
More informationMath vs. Malware. Is There A Better Way? Insights into how math can defeat malware. The Human Factor
Math vs. Malware Is There A Better Way? Insights into how math can defeat malware. Mathematics is a more powerful instrument of knowledge than any other that has been bequeathed to us by human agency.
More informationThe Advanced Cyber Attack Landscape
The Advanced Cyber Attack Landscape FireEye, Inc. The Advanced Cyber Attack Landscape 1 Contents Executive Summary 3 Introduction 4 The Data Source for this Report 5 Finding 1 5 Malware has become a multinational
More informationAdvanced Threat Protection with Dell SecureWorks Security Services
Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5
More informationThe Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud
The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery
More informationThe Global Attacker Security Intelligence Service Explained
White Paper How Junos Spotlight Secure Works The Global Attacker Security Intelligence Service Explained Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More information[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks
TLP: GREEN Issue Date: 1.12.16 Threat Advisory: Continuous Uptick in SEO Attacks Risk Factor High The Akamai Threat Research Team has identified a highly sophisticated Search Engine Optimization (SEO)
More informationSecurity and Protection in Real-Time
Security and Protection in Real-Time Product White Paper Aug 29, 2006 ParetoLogic Anti-Spyware offers an advanced set of tools designed to protect your computer from spyware threats. There are two lines
More informationScanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management
Scanless Vulnerability Assessment A Next-Generation Approach to Vulnerability Management WHITEPAPER Overview Vulnerability scanning, or the process of identifying a list of known security gaps in the network
More informationThe 2014 Next Generation Firewall Challenge
Network World and Robin Layland present The 2014 Next Generation Firewall Challenge Guide to Understanding and Choosing a Next Generation Firewall to Combat Today's Threats 2014 The 2014 Next Generation
More informationCheck Point: Sandblast Zero-Day protection
Check Point: Sandblast Zero-Day protection Federico Orlandi Itway Support Engineer 2015 Check Point Software Technologies Ltd. 1 Check Point Threat Prevention SandBlast IPS Antivirus SandBlast stops zero-day
More informationOnline Payments Threats
July 3, 2012 Introduction...2 Tested Products...2 Used Configuration...3 Real Malware Inspiration...3 Total Scores Chart...4 Conclusion...4 About matousec.com...4 Detailed Descriptions of Tests...5 Detailed
More informationWeb site security issues White paper November 2009. Maintaining trust: protecting your Web site users from malware.
Web site security issues White paper November 2009 Maintaining trust: protecting your Page 2 Contents 2 Is your Web site attacking your users? 3 Familiar culprit, new MO 6 A look at how legitimate Web
More informationFile Disinfection Framework (FDF) Striking back at polymorphic viruses
File Disinfection Framework (FDF) Striking back at polymorphic viruses 1 CONTENTS Introduction 3 File Disinfection Framework (FDF) 4 Disinfection solution development today 5 Goals 6 Target audience 6
More informationTechnical White Paper: Running Applications Under CrossOver: An Analysis of Security Risks
Technical White Paper: Running Applications Under CrossOver: An Analysis of Security Risks Wine, Viruses, and Methods of Achieving Security Running Windows software via CrossOver is, on average, much safer
More informationHow Lastline Has Better Breach Detection Capabilities. By David Strom December 2014 david@strom.com
How Lastline Has Better Breach Detection Capabilities By David Strom December 2014 david@strom.com The Internet is a nasty place, and getting nastier. Current breach detection products using traditional
More informationThe Sophos Security Heartbeat:
The Sophos Security Heartbeat: Enabling Synchronized Security Today organizations deploy multiple layers of security to provide what they perceive as best protection ; a defense-in-depth approach that
More informationDetecting the Presence of Virtual Machines Using the Local Data Table
Detecting the Presence of Virtual Machines Using the Local Data Table Abstract Danny Quist {chamuco@gmail.com} Val Smith {mvalsmith@metasploit.com} Offensive Computing http://www.offensivecomputing.net/
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationCommtouch RPD Technology. Network Based Protection Against Email-Borne Threats
Network Based Protection Against Email-Borne Threats Fighting Spam, Phishing and Malware Spam, phishing and email-borne malware such as viruses and worms are most often released in large quantities in
More informationAddressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model
White Paper Addressing the Full Attack Continuum: Before, During, and After an Attack It s Time for a New Security Model Today s threat landscape is nothing like that of just 10 years ago. Simple attacks
More informationCovert Operations: Kill Chain Actions using Security Analytics
Covert Operations: Kill Chain Actions using Security Analytics Written by Aman Diwakar Twitter: https://twitter.com/ddos LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7 In Special
More informationSPEAR PHISHING AN ENTRY POINT FOR APTS
SPEAR PHISHING AN ENTRY POINT FOR APTS threattracksecurity.com 2015 ThreatTrack, Inc. All rights reserved worldwide. INTRODUCTION A number of industry and vendor studies support the fact that spear phishing
More informationThe Ultimate Reason Why Hackers Are Winning The Mobile Malware Battle
SESSION ID: HTA-R03 The Ultimate Reason Why Hackers Are Winning The Mobile Malware Battle Yair Amit CTO & Co-Founder Skycure Adi Sharabani CEO & Co-Founder Skycure Agenda Evolution of mobile malware Malware
More informationWhite Paper. Runtime Application Self Protection Making Apps Self Protecting, Self Diagnosing and Self Testing
White Paper Runtime Application Self Protection April 2015 White Paper: Runtime Application Self Protection Making Aps Self Protecting, Self Diagnosing and Self Testing EXECUTIVE SUMMARY THE JAVA PROBLEM
More informationSmall Business Anti-Virus Protection
Small Business Anti-Virus Protection JULY - SEPT 2015 Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to compare the effectiveness of anti-malware
More informationTaking a Proactive Approach to Patch Management. B e s t P r a c t i c e s G u i d e
B e s t P r a c t i c e s G u i d e It s a fact of business today: because of the economy, most organizations are asking everyone, including the IT staff, to do more with less. But tight budgets and the
More informationIBM Internet Security Systems Supports Microsoft Vista s Kernel-Locking for Improved Customer Security
IBM Internet Security Systems White Paper IBM Internet Security Systems Supports Microsoft Vista s Kernel-Locking for Improved Customer Security IBM Internet Security Systems Supports Microsoft Vista 1
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationSandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
More informationSecurity Intelligence Services. Cybersecurity training. www.kaspersky.com
Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative
More informationReduce Your Virus Exposure with Active Virus Protection
Reduce Your Virus Exposure with Active Virus Protection Executive Summary Viruses are the leading Internet security threat facing businesses of all sizes. Viruses spread faster and cause more damage than
More informationUnified Security, ATP and more
SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users
More informationAdvanced Endpoint Protection Overview
Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking
More informationDefending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
More informationAdi Hayon Tomer Teller
Adi Hayon Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory in a remote process (and write to it) Executes the code in that memory region Frees the code Memory dump
More informationDriving Success in 2013: Enabling a Smart Protection Strategy in the age of Consumerization, Cloud and new Cyber Threats. Eva Chen CEO and Co-Founder
Driving Success in 2013: Enabling a Smart Protection Strategy in the age of Consumerization, Cloud and new Cyber Threats Eva Chen CEO and Co-Founder Consistent Vision for 25 Years A world safe for exchanging
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationNext Generation Firewalls and Sandboxing
Next Generation Firewalls and Sandboxing Joe Hughes, Director www.servicetech.co.uk Summary What is a Next Generation Firewall (NGFW)? Threat evolution Features Deployment Best practices What is Sandboxing?
More information